Do world-writable systemd .service files created as symbolic links in /etc/systemd/system impose a security threat?

Do world-writable systemd .service files created as symbolic links in /etc/systemd/system impose a security threat?

Would it be possible to somehow modify the links to target arbitrary .service files on the system, and make systemd execute those files as root?

The permissions for the /etc/systemd/system directory is as follows:

drwxr-xr-x. 11 root root 4096 Aug 30 12:57 /etc/systemd/system/ 

and the world-writable links in this directory are:

1050594    0 lrwxrwxrwx   1 root     root            9 Apr  9 11:53 /etc/systemd/system/ -> /dev/null 1050595    0 lrwxrwxrwx   1 root     root            9 Apr  9 11:54 /etc/systemd/system/sensu-server.service -> /dev/null 1052003    0 lrwxrwxrwx   1 root     root            9 Apr  9 11:54 /etc/systemd/system/sensu-api.service -> /dev/null 1052037    0 lrwxrwxrwx   1 root     root            9 Apr  9 11:55 /etc/systemd/system/dataeng.service -> /dev/null 

Ubuntu 19.04 systemd runs script on USB Drive insertion, but fails to start gnome-terminal

first post here…

Looking for some assistance please

I have a systemd process that runs on usb drive insertion, however, I need the terminal to open with this systemd command and it is continually failing to start. By the looks of the systemctl status log when I run “sudo systemctl status elements-usb.service” it would appear the environmentals are wrong or the syntax of my command.

monster@monster-laptop:~$ sudo systemctl status elements-usb.service

Warning: The unit file, source configuration file or drop-ins of elements-usb.service changed on disk. Run ‘systemctl daemon-reload’ to reload units.

● elements-usb.service – elements-usb-trigger Loaded: loaded (/etc/systemd/system/elements-usb.service; enabled; vendor preset: enabled)

Active: failed (Result: exit-code) since Fri 2019-08-23 15:05:30 BST; 4s ago

Process: 26361 ExecStart=/usr/bin/dbus-launch gnome-terminal –command=bash -c ‘/home/monster/.storage-scripts/elements-run-on-mount; $ SHELL’ (code=exited, status=1/FAILURE) Main PID: 26361 (code=exited, status=1/FAILURE)

Aug 23 15:05:30 monster-laptop systemd[1]: Started elements-usb-trigger.

Aug 23 15:05:30 monster-laptop dbus-daemon[26382]: [session uid=0 pid=26371] AppArmor D-Bus mediation is enabled

Aug 23 15:05:30 monster-laptop dbus-launch[26361]: # Option “–command” is deprecated and might be removed in a later version of gnome-terminal.

Aug 23 15:05:30 monster-laptop dbus-launch[26361]: # Use “– ” to terminate the options and put the command line to execute after it.

Aug 23 15:05:30 monster-laptop dbus-launch[26361]: Unable to init server: Could not connect: Connection refused

Aug 23 15:05:30 monster-laptop dbus-launch[26361]: # Failed to parse arguments: Cannot open display:

Aug 23 15:05:30 monster-laptop systemd[1]: elements-usb.service: Main process exited, code=exited, status=1/FAILURE

Aug 23 15:05:30 monster-laptop systemd[1]: elements-usb.service: Failed with result ‘exit-code’.

the systemd command runs the following:

[Unit] Description=elements-usb-trigger Requires=home-usb\x2dstorage.mount After=home-usb\x2dstorage.mount

[Service] ExecStart=dbus-launch gnome-terminal –command=”bash -c ‘/home/monster/.storage-scripts/elements-run-on-mount; $ SHELL'”

[Install] WantedBy=home-usb\x2dstorage.mount

Any clues plse? I’m at a loss now

Systemd long boot

Good day. I have a Dell Latitude 6440 -intel i5-4310 laptop, 8GB RAM disk – SSD. System on SD card – Ubuntu Mate 18.04.3 kernel 5.2.8. with encrypted partition / home. This is what system-analyze looks like: Startup finished in 8.807s (firmware) + 30.926s (loader) + 3.776s (kernel) + 32.108s (userspace) = 1min 15.618s reached after 32.101s in userspace Tell me what is it responsible for and what is the loader + 30,926s ?? How to speed it up? Thank you.

running a python tkinter gui on startup using systemd

i created a GUI on python/tkinter and i need it to run on startup, can this be done using systemd or do i need to turn the script into an executable because so far every attempt at trying to use systemd as resulted in:

(code=exited, status1/failure) 

is this just a problem with how i configured the .service file or can systemctl not be used to do this?

Erase /home/ from casper-rw overlay on shutdown (systemd service)

In my company we use a USB bootable live stick with Ubuntu (erm… Xubuntu) 18.04 to do job interviews. It has a bunch of tools (three or four IDEs, a couple of database GUI viewers…) and a toy project to ask questions about.

That USB stick has a Casper-RW overlay partition for persistent storage (created with mkusb). Said partition is mostly used to store Docker images and to keep some start-up values that can change a bit depending on which machine the stick is plugged into.

That partition is mounted “manually” in /media/overlay by adding the following line mkdir --parents /media/overlay/ && mount -L casper-rw /media/overlay/ to the file rc.local (thank you @sudodus for answering my previous question).

Now, that casper-rw persistance layer is working great… Maybe too great. We would like to erase the /home/<user> directory where the .bash_history and other changes made by the interviewee have been stored when we shut down the test environment (test environment… meaning: the laptop where the interviewee has been doing stuff).

Thanks to these answers (Unix&Linux, AskUbuntu) I created a systemd service that… kindaaaa does what I want, it’s just it seems to do it when the system boots, not when it’s going down. Is not a huge deal, is just… it bugs me a little 😀

This is the systemd service I created in /etc/systemd/clear-stick.service:

[Unit] Description=Cleans-up interview sticker RequiresMountsFor=/media/overlay/ DefaultDependencies=no casper.service  [Service] Type=oneshot ExecStart=/usr/local/bin/ ExecStop=/usr/local/bin/ RemainAfterExit=true  [Install] 

I suspect it’s only running the ExecStart line on boot, rather than the ExecStop line on shutdown. If I make changes to the /home/ directory, power off the computer and mount the stick somewhere else, the changes are still there. Plus, if I look at the logs in journcalctl I only see references to Cleans-up interview sticker surrounded by what seems start sequences of other services. Yet, I’m not 100% sure whether this happens because the .service definition is wrong (very likely) or because I don’t fully understand how the casper-rw overlay works and eventhough the .service is run on shutdown, it can’t clear the /media/overlay/home/interviewee directory?.

And just in case it’s relevant, this is the content of /usr/local/bin/

#!/bin/bash  had_to_mount="false"; if [[ ! -d "/media/overlay/upper/" ]]; then     mount -L casper-rw /media/overlay/     had_to_mount="true"; fi  if [[ -d "/media/overlay/upper/home/interviewee/" ]]; then     echo "Removing interviewee /home";     rm -rf "/media/overlay/upper/home/interviewee/"; else     echo "interviewee /home/ not found" fi  if [[ -f /root/.bash_history ]]; then     rm /root/.bash_history; fi  if [[ "$  {had_to_mount}" == "true" ]]; then        umount /media/overlay; fi         

Using find in systemd service results in error: ‘paths must precede expression’

I’m trying to create an exclude file, before my backup runs. Using this simple find command produces the correct output, but it fails when used in a systemd service. I think because of find escaping.

Is there an alternative to chevron or piping? or a correct way to escape characters? Thanks

error: find[20029]: /usr/bin/find: paths must precede expression:>’

My service:

[Unit] Description=Restic backup service [Service] Type=oneshot ExecStartPre=/usr/bin/find /home/jake/finished/ -size +1G > /etc/restic/exclude_large.lst ExecStart=/usr/bin/restic backup --verbose --one-file-system --tag systemd.timer $  BACKUP_EXCLUDES $  BACKUP_PATHS ExecStartPost=/usr/bin/restic forget --verbose --tag systemd.timer --group-by "paths,tags" --keep-daily $  RETENTION_DAYS --keep-weekly $  RETENTION_WEEKS --keep-monthly $  RETENTION_MONTHS --keep-yearly $  RETENTION_YEARS EnvironmentFile=/etc/restic/restic-backup.conf 

systemd: how to setup desktop environment without display manager?

I’d like to completely avoid DM phase and run straight into desktop environment. Is there any systemd service for that?

All that is needed is to correctly restart Xorg when it is killed by Ctrl + Alt + Backspace and not restart it when it was killed by a crash or another measure. So any ready solutions would be greatly appreciated.

Notes on 19.04 and prior versions (in my particular setup):

  • Autologin is broken in LXDM.
  • Ctrl+Alt+Backspace is broken in LXDM.
  • SDDM is broken and doesn’t start.
  • Good user-friendly and nicely working KDM is gone.

veth down after reboot on bionic beaver (netplan) systemd

First, please forgive my lame markdown skills.

Running Bionic Beaver: host:~# lsb_release -a Distributor ID: Ubuntu Description: Ubuntu 18.04.2 LTS Release: 18.04 Codename: bionic Can’t seem to figure out the best way to make sure my veth devices automatically “link up” after reboot.

My use case for the veth: I use them for attaching local network bridges to containers. I do this because attaching docker macvlan directly to the bridge inhibits communication between the containers and their host.

Now that that is out of the way:
I’ve tried putting: ip link set veth1a up ip link set veth5a up in /etc/rc.local I had to create new and add execute permissions, but did nothing upon reboot.

I have the interfaces listed in netplan, but this only successfully brings up the bridge side of the veth e.g veth1b: network: ethernets: enp131s0f0: dhcp4: false enp131s0f1: dhcp4: false enp6s0: dhcp4: false enp7s0: dhcp4: false veth1a: dhcp4: false veth1b: dhcp4: false veth5a: dhcp4: false veth5b: dhcp4: false bridges: br0: dhcp4: true interfaces: - enp6s0 - enp7s0 - veth1b br5: dhcp4: false interfaces: - vlan5 - veth5b vlans: vlan5: id: 5 link: br0 dhcp4: false version: 2 I also have some systemd configs to create the veths in the first place, but I don’t know how to tell systemd to “admin up” the veth1a and veth5a. This is what I need help with. host:~# cat /etc/systemd/network/25-veth-* [NetDev] Name=veth1a Kind=veth [Peer] Name=veth1b [NetDev] Name=veth5a Kind=veth [Peer] Name=veth5b

How to get celery worker running on ubuntu 18 in systemd

I’m trying to run a Celery worker using systemd and I have followed the official documentation plus some blog guides but the worker doesnt start, instead shows:

Jun 30 07:13:45 ubuntu-s-1vcpu-1gb-sgp1-01 systemd[1]: Started Celery workers. Jun 30 07:13:49 ubuntu-s-1vcpu-1gb-sgp1-01 bash[10878]: celery multi v3.1.24 (Cipater) Jun 30 07:13:49 ubuntu-s-1vcpu-1gb-sgp1-01 bash[10878]: > w1@ubuntu-s-1vcpu-1gb-sgp1-01: DOWN 

I have the followinf config in my /etc/systemd/system/celery.service:

[Unit] Description=Celery workers  [Service] Type=forking User=root Group=root  # PIDFile=/var/run/celery/  WorkingDirectory=/home/isppme/isppme_wa/ ExecStart=/bin/bash -c '/home/isppme/bin/celery multi start w1 worker --time-limit=300 -A isppme.taskapp --concurrency=8 --loglevel=DEBUG --logfile=/var/log/celery/w1%$   ExecStop=/bin/bash -c '/home/isppme/bin/celery multi stopwait w1 --pidfile=/var/run/celery/' ExecReload=/bin/sh -c '/home/isppme/bin/celery multi restart w1 -A isppme.taskapp --pidfile=/var/run/celery/ --logfile=/var/log/celery/w1%I.log --loglevel=DEBUG'  [Install]  

This is the output from the service’s log:

Jun 30 07:13:43 ubuntu-s-1vcpu-1gb-sgp1-01 systemd[1]: Starting Celery workers... Jun 30 07:13:45 ubuntu-s-1vcpu-1gb-sgp1-01 bash[10809]: celery multi v3.1.24 (Cipater) Jun 30 07:13:45 ubuntu-s-1vcpu-1gb-sgp1-01 bash[10809]: > Starting nodes... Jun 30 07:13:45 ubuntu-s-1vcpu-1gb-sgp1-01 bash[10809]:         > w1@ubuntu-s-1vcpu-1gb-sgp1-01: OK Jun 30 07:13:45 ubuntu-s-1vcpu-1gb-sgp1-01 bash[10809]:         > worker@ubuntu-s-1vcpu-1gb-sgp1-01: OK Jun 30 07:13:45 ubuntu-s-1vcpu-1gb-sgp1-01 systemd[1]: Started Celery workers. Jun 30 07:13:49 ubuntu-s-1vcpu-1gb-sgp1-01 bash[10878]: celery multi v3.1.24 (Cipater) Jun 30 07:13:49 ubuntu-s-1vcpu-1gb-sgp1-01 bash[10878]: > w1@ubuntu-s-1vcpu-1gb-sgp1-01: DOWN   

How to start a systemd service with complex arguments?

I want to stream video from a Raspberry Pi with a USB camera using mjpg-streamer. Here is the commandline to start it from a bash shell:

./mjpg_streamer  -i "./" -o "./ -w ./www -p 8000" 

This works fine.

I have created the service file /lib/systemd/system/mjpg-streamer.service:

[Unit] Description=USB camera streaming service  [Service] Environment=LD_LIBRARY_PATH=/home/pi/mjpg-streamer EnvironmentFile=./mjpg-streamer.conf ExecStart=/home/pi/mjpg-streamer/mjpg_streamer $  {ARG1} $  {ARG2} StandardOutput=null Restart=always RestartSec=10  [Install] 

Here is my environment file /lib/systemd/system/mjpg-streamer.conf:

ARG1=-i "./"  ARG2=-o "./ -w ./www -p 8000" 

The service starts, but the arguments are not being passed in correctly.